01-28-2013 09:27 AM - edited 02-21-2020 06:39 PM
Hi,
I'm trying to configure remote access via an IPsec VPN with XAuth. The *relevant* lines of the config are below:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp client configuration group VPNCLIENTS
key <removed>
dns <REMOVED>
pool VPNPOOL
max-users 5
crypto isakmp profile VPNCLIENT
match identity group <REMOVED>
client authentication list VPNAUTHENLIST
isakmp authorization list VPNAUTHORLIST
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile VPNTRANSFORM
set transform-set AES256-SHA
!
interface Loopback0
ip address 192.168.202.1 255.255.255.248
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
ip nat inside
ip inspect FWOUT in
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPNTRANSFORM
!
interface Dialer0
ip access-group internet_in in
ip access-group internet_out out
ip inspect FWOUT out
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip local pool VPNPOOL 192.168.202.2 192.168.202.6
!
ip nat inside source list NATACL interface Dialer0 overload
!
ip access-list extended NATACL
permit ip 192.168.202.0 0.0.0.7 any
<END CONFIG>
I can authenticate with the VPN, and access internal hosts without issue - I'm trying to configure a "full" tunnel. Please note, we run non-RFC1918, public addresses internally; the NAT config above has been added just for the VPN clients. The problem is I can't access the Internet across the VPN. Looking at the NAT translation table, there are entries being created, though it seems the router is dropping return traffic - e.g. if I do a term mon, I can see port 53 DNS packets and port 80 web traffic being dropped inbound when destined for the Dialer0 interface IP. I was expecting the "ip inspect" lines to permit the NAT'd traffic?
To me, it looks like the "ip inspect" is adding sessions for the pre-NAT 192.168.202 addresses, not the router's external interface.
Any help you can give would be most appreciated.
01-28-2013 10:48 AM
What if you delete "ip inspect FWOUT in" from the virtual-template interface?
01-28-2013 11:51 AM
Same issue I'm afraid. Return packets still dropped. I've also tried associating the virtual template with a Vlan interface instead of the loopback interface to no avail.
01-28-2013 09:25 PM
Probably you should mark your Dialer0 interface as ip nat outside.
01-28-2013 10:51 PM
Apologies, that is in the config... I removed it when I was extracting the relevant lines. It is definitely NATing, it's just not letting the return traffic back in. For completeness, the current dialer config is below:
interface Dialer0
ip address negotiated
ip access-group internet_in in
ip access-group internet_out out
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat outside
ip inspect FWOUT out
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
ipv6 enable
ipv6 inspect FWOUT6 out
ipv6 traffic-filter adsl-ipv6 in
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
! Note: the line below refers to a site-to-site VPN, not the road-warrior config this post is about.
crypto map VPNCMAP
Thanks
01-30-2013 04:06 PM
The config is actually good. The problem was MTU related - which wasn't apparent due to the 'no ip unreachables' on the dialer interface.
The dropped NAT packets I can only put down to something I screwed up during debugging. Thanks for all the help.
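An added example, not the original poster's fix or a Cisco-published snippet: the usual way to take MTU problems off the table for IPsec road-warrior clients is to clamp the MTU and TCP MSS on the virtual-template, so that neither the client nor the remote server has to rely on path MTU discovery through the tunnel. "no ip unreachables" on Dialer0 matters here because it suppresses the ICMP "fragmentation needed" messages the router would otherwise send to remote hosts whose DF-marked return traffic is too large to encapsulate, which is what hides the failure. The values 1400/1360 are assumptions for a PPPoE uplink (1492-byte MTU) carrying ESP with AES-256 and SHA-1 HMAC in tunnel mode; measure your own path before copying them. The interface names, pool and profile names are the ones from the thread; <internal-host> is a placeholder.

```cisco
! Added example (not the original poster's configuration): MTU/MSS clamp on the
! VPN virtual-template. Existing lines on Virtual-Template2 (ip unnumbered,
! ip nat inside, tunnel mode/protection) stay as they are; only the two
! ip mtu / ip tcp adjust-mss lines are new.
interface Virtual-Template2 type tunnel
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Re-enable ICMP unreachables on the uplink so PMTUD keeps working for hosts
! on the far side of the tunnel (access-list internet_out still controls what
! leaves the interface).
interface Dialer0
 ip unreachables
!
! Verification from a connected VPN client (Linux ping shown; on Windows use
! "ping -f -l <size> <internal-host>"). 1372 bytes of ICMP payload + 8 ICMP +
! 20 IP = a 1400-byte packet, which should pass with DF set; 1373 should fail
! locally with "message too long".
!   ping -M do -s 1372 -c 3 <internal-host>
!   ping -M do -s 1373 -c 3 <internal-host>
!
! Checks on the router: the SA should show the clamped MTU and encap/decap
! counters moving, NAT entries should exist for the pool addresses, and the
! cloned virtual-access interface should report the MTU set above.
!   show crypto ipsec sa | include pkts|mtu
!   show ip nat translations
!   show interfaces Virtual-Access2 | include MTU
```

The MSS clamp is what fixes web browsing in practice: with it, TCP segments in both directions are sized to fit the tunnel regardless of whether ICMP makes it back to the end hosts, while the "ip mtu" value governs non-TCP traffic such as DNS over UDP. If an "ip unreachables" re-enable is not acceptable on the uplink, the clamp alone still covers TCP.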